Posted by CowboyNeal on Friday September 07, 2007 @07:28AM
from the careful-what-you-share dept.

Bomarc writes "Via the KOMO-TV website, an article from the Associated Press about how Gregory Thomas Kopiloff used Limewire, Soulseek and other peer-to-peer file-sharing programs to troll other computers for financial information, which he used to open credit cards for an online shopping spree, according to a four-count indictment unsealed in US District Court on Thursday. The news article isn't big on details, but it does outline the risks with peer-to-peer file-sharing programs."

Umm, ripping from streams is definitely harder than typing a filename into a text box, searching and double clicking a track to download. It's this ease of use that made P2P so prolific. Even Joe six-pack could do it and mp3 files were no longer the domain of underground IRC communities and FTP shares.

Precisely. Preventing personal data from leaking onto P2P networks is simply a matter of proper configuration of the client. As the summary states, there's very little detail in the article about how the information was actually accessed; all that would be required is a few pointers to help people prevent the

"Precisely. Preventing personal data from leaking onto P2P networks is simply a matter of proper configuration of the client."

The same can be said for Windows. Now why doesn't Slashdot give it as fair a shake as it does P2P?

There's a difference between configuration problems and actual security vulnerabilities like buffer overflows and such. This article is making it sound like there are actual vulnerabilities in the P2P app, rather than people just being dumb and configuring it to share their entire C drive or something. That can be fixed by a little user education. An actual vulnerability would require a patch to fix.

The vulnerability is between the keyboard and chair. Norms get lured onto these sketchy p2p networks to get "free" music and movies, but they haven't a clue what they're actually doing and the implications of various configuration options. I'm sure that if someone released a Napster-style P2P app that defaults to sharing the entire contents of your hard drive, many people would praise it for having so many files available. People don't bother, they just install the program and within seconds they're playin

I'm sure that if someone released a Napster-style P2P app that defaults to sharing the entire contents of your hard drive, many people would praise it for having so many files available.

Right, and that would be a problem with the default settings of the application, and something that the app creator should address. A problem similar to the default password situation that Microsoft used to have with SQL Server, or that Linksys has with their home wireless routers. However, if the person decides to change the default to share their entire drive, that's not a problem with P2P software, it's a problem with the user and should be presented as such. This article doesn't even attempt to addr

My point was that users would actually like that sort of security vulnerability, because to their untrained eyes, the vulnerability is invisible... If you buy a car whose locks can be opened by every key issued by that auto maker, you won't know until someone drives off with your car; and even then, you might assume they just used the good ol' slim jim then shorted your starter. You won't realize your car is vulnerable until an "expert" finds out and tells you, in simple terms, why your car sucks.

Precisely. Preventing personal data from leaking onto P2P networks is simply a matter of proper configuration of the client. As the summary states, there's very little detail in the article about how the information was actually accessed; all that would be required is a few pointers to help people prevent the sharing of sensitive files, but TFA seems to be following the fear-mongering route instead with quotes like "If you are running file-sharing software, you are giving criminals the keys to your computer

In April, it's fun to search the file sharing networks for ".tax" files (and other common files used for tax returns by TurboTax, TaxCut, etc.)

I would never recommend viewing such information or committing any crimes, but it's interesting to see one IP address with tens or hundreds of tax returns shared. If you hire an outside tax preparer, be aware!

Imagine - your SSN, name, address, a list of banks that have paid you interest, a list of stocks that you own, your taxable income and amount of tax paid (which the IRS uses as proof that you are who you say you are, if you perform an online inquiry), etc.

And the victim doesn't even realize that their PAID PREPARER is sharing the information with the world! No lie! There are hundreds available every April!

PS, Don't try to call any of the individuals and tip them off - they have a tendency to shoot the messenger!

You exemplify such a great attitude towards the world; it helps create what it is. To say it's the user's fault for keeping information on his/her personal computer that could POTENTIALLY if not realistically be accessed by people who are breaching someone else's personal space is to misrepresent the problem. Keeping any kind of information, regardless of whether you are "file-sharing" or not, does not mean another user has free rein to read/execute/extrapolate that information in any way they see fit. Sa

We need xml joke tags on here. :P I had a mental image of someone running Windows as Administrator installing Kazaa, Limewire, whatever the p2p 1337 app of the week is, and manually sharing out their whole drive. Of course it's not okay to just abuse things, and there *should* be a reasonable level of security in keeping data on your computer.

That said, a computer should be operated as non-uid=0, and only switch when critical tasks MUST be done, but hey...that still wouldn't fix this. If I run a file shari

Well a technical solution to making a mistake about something you don't even understand (inexperienced/ignorant users) is essentially impossible and may be why Win has the problems it has. My gripe really was with blaming the victim in that instance though, well, even if it is a joke. No worries, though.

Well a technical solution to making a mistake about something you don't even understand (inexperienced/ignorant users) is essentially impossible and may be why Win has the problems it has.

Articles like this one don't do anything to improve the situation though. Instead of telling people that they shouldn't share their entire hard drive with their P2P app, and explaining how to prevent that from happening, it just goes off and rants about how P2P apps are so dangerous and they're stealing your data and letting anyone get all your files! Makes me wonder who's behind this story...

Because there's more good music available on Soulseek; you can see the bitrate before you download it; you can talk to users in rooms about the music first; you can download the same album from more than one person for speed; you don't end up waiting in vain for the last 6.9% of a torrent; you can ban leeches; it's trivial to upload your own music (I have no idea how to share something via BitTorrent - I think I have to read stuff and run programs etc = very boring. Perhaps

It's great if you are doing that on a Linux machine with a SMB share called c:\. You could keep them busy for hours if you seeded the share properly. Include lots of links to your PayPal account, Bank of America, Barclays,... the phishing sites..

An old Kazaa trick I used to entertain myself back in the day. Mainly to see what NOT to do on a resume, but you could get pretty adequate information from them. Some people included birthday, SSN, other stuff that should never be on a resume.

Yeah, we used to do this on a college file-sharing network. We'd search for files that were on the root of the drive, like "io.sys", and find all the people who were sharing their entire hard drives. Then we'd root through their documents and find compromising pictures of them and make fun of them in the main chat, usually followed by the advice "STOP SHARING YOUR ENTIRE DRIVE."

There was also a correspondence between assigned IPs and the different dormitories, which was apparently easy enough to figure out, with the result that the ops often freaked out new users by telling them where they lived.

I forgot about this one. We had a student at my first university that put up a search engine for the network. Twice a day it'd ping all the computers on campus (1600 students, maybe 800 living on campus) and then store the results in a database.

It was just a 'dumb' spider so it went everywhere it could.

jpg would turn up 'private' party pictures. docs would turn up resumes and homework solutions... those were the days.

And we did the same thing you did. Anyone sharing everything would get a nice desktop text file "README".

Anyone remember searchtree?

Just as with any case along these lines, services that may allow crimes to be committed need to be separated from the crimes themselves.

As far as I can tell, there are many ways to mine for personal information on the internet that do not require the use of P2P sharing programs. In this case, should the usage of the internet as a whole be deemed unlawful?

I don't keep any sensitive information on my computers; instead I put all the information I want to secure, passwords, account numbers, online payment information, and administration info, in a plain old paper address book. Even if someone came in and physically took my computers they would have no access to my accounts. Also, if I want to remove access to all information I simply pick up the one address book and walk away. Yes, it is a hassle to type in the information each time but I don't have to wo

From the article: "If you are running file-sharing software, you are giving criminals the keys to your computer," said assistant U.S. attorney Kathryn Warma. "Criminals are getting access to incredibly valuable information."
This woman sure adds some emotions to her wordings! It's not like she's added any media spin! [usdoj.gov] never! [nwsource.com]. Sheesh. This woman must be aiming for a job with Microsoft. From the last link I just provided: "We know that Robert Soloway is one of the most prolific spammers in the world," Wa

On a non-factual, personal opinion basis I would guess that more than 15 or 20% of the internet is gaming (number of gamers + bandwidth requirements on servers), maybe 5-10% specifically is YouTube, maybe 5% is porn ads. I don't think it's that much anymore since it's not necessarily high bandwidth if it's a bunch of garbled text; full image porn ads are easily blocked by websites, the text is not. I'd guess another 20% is streaming services (non youtube/hdtv/etc), another 20% is bittorrent, and the rest is rand

Exactly. Any, and just about all, applications on a computer can pose a danger to you if you don't know what you're doing and think you do. Those annoying people who claim to know everything about computers and really don't are the real dangerous ones, to themselves and those who believe that they know everything. I know of more than one instance where C: was shared over an open network, because the person had discovered that that allowed them to get their files from another computer and never considered the

Seriously, this reminds me of morons who used to share their entire hard drives out to file sharing apps.

I remember seeing printouts of peoples' password lists, even full bank account and investment broker information, complete with contact info, and all the personal ID data, etc. All found by people trolling the network for more than just MP3s.

Kopiloff is charged with mail fraud, accessing a protected computer, and two counts of aggravated identity theft. Authorities allege he victimized at least 83 people.

I can understand the other charges, but accessing a protected computer? I'd think it would be reasonable to assume files that are found on a p2p network are meant to be shared. IANAL, but if he gets convicted for that, wouldn't that allow a "I'm sorry, I never meant to share these MP3s" defense in most, if not all, of the RIAA cases?

If when you read the article, your thought is "OMG people can access all my files if I use P2P" then you probably are also the type of person who can't figure out how not to share your entire hard drive. It is a valid article in that sense... P2P is a security danger to people who conclude P2P is a security danger after reading the article and probably should stop using it.

This is exactly the angle the media companies should leverage. Instead of combating what they perceive as piracy with more complicated and restrictive DRM, they should work on the simple solution of providing the best source for their product.

If the price / convenience / value ratios make you the best source for your product, people will scramble to get it from you. For money even! Back it up with an ad campaign reinforcing how safe and accessible you are and I guarantee you won't lose.

The problem now is the value of recorded music is zero. Nobody I know pays. Why would they? Safety? Convenience? When a small bit of common sense will protect you from the robbers and thugs out there and everything you want is available? No, the crash is going to come pretty soon I think. Anyone "selling" music is doomed, as is their entire infrastructure. If you create graphics for bands who pay you from music sales, better find a new job. If your job is supplying plastic for jewel cases used by CD

Take your white washing elsewhere. Last time I checked, RECORD COMPANIES make money from CD sales. BANDS make money from live shows and merchandise. There are a few big name exceptions to this, but for the average "known only to college students that think they are hip" bands, they make squat from CDs.

So, expect RECORD COMPANIES to collapse. (Which is a good thing, as they, along with the classic buggy whip makers are outdated.)

I know about 5 bands that are very small, play live a bit, and released their o

The problem now is the value of recorded music is zero. Nobody I know pays. Why would they? Safety? Convenience?

Supporting the artist is why I do it.

See, the music has value to me in that I want to hear it, and I want to support the people who produce the music I want to listen to. That way, they'll make more of it. Cause otherwise, all that's left is Brittany and whatever other dreck is in the charts.

I can't stand the *AA's either, but the people who actually produce music, do produce something which has

The user's computer exposure to web criminals was not due to the user's lack of attention to minute details of the program, but by the criminal negligence on the part of the programmer to shield the user's data from his program's access.
In other words, the programmer of the P2P software is at fault for allowing his program to default into a dangerous state! The P2P program should be forcing the user to create a new and specific folder on the hard disk for files that will be shared. Then t

The user's computer exposure to web criminals was not due to the user's lack of attention to minute details of the program, but by the criminal negligence on the part of the programmer to shield the user's data from his program's access.

I'd go further and say that in at least some cases automatically sharing everything (or at least all media files) is an intentional (mis)feature of the P2P programs. The folks that make these programs often gain from the popularity of their programs either through advertisi

If your line of thinking were to be followed, it would hasten the death of the general purpose computer. If the non-technical masses were to be using these 'terminals', then the general purpose machines would be mostly relegated to hobbyists and business use.

I don't see a problem with that scenario. Though I think that a PC in a 'business setting' is also overkill and unsafe. Business users don't need any more power than a terminal (think thin-client movement).

Listen, as long as there are idiots, no software can be safe. However much security you build into software is based on the assumption that an intelligent user will try to break it. Like the saying goes, fools sometimes rush in and get the job done where angels fear to tread.

If the provider was running things properly the end user would have to request the software to be installed and configured (if it wasn't already and only needed access). They wouldn't be able to do it on their own and hose things up due to lack of appropriate rights.

If the 'entire server' was shared, or the end user was able to even install an application, it's the provider's fault and they should be shut down.

This is the consumer equivalent of the age-old problem in the corporate world of printing something to the wrong printer, something that resulted in many a red face and more than a few leaks of confidential information. It is an information security problem -- how do you prevent a user from erroneously placing confidential information in an insecure space? The problem is the same whether the insecure space is a printer, an extranet site, or a directory structure shared by a file sharing program.

Shockingly, if you share your entire hard drive in P2P that WILL include all your personal information and people WILL take it and possibly do bad things with it. Most P2P software actually includes warnings against doing this and by default, only shares a specific created directory. Users would have to manually add their whole hard drive.
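The over-sharing described in the comment above (a whole drive or home directory added to the share list, or tax returns and resumes sitting inside a shared tree) can be checked mechanically. The following is an added example, not code from any P2P client or from the thread; the set of sensitive extensions and the sample folder it builds are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# File types the thread says turn up on P2P networks (.tax, .doc); the
# remaining entries are an assumption about common personal-record formats.
SENSITIVE_EXTS = {".tax", ".doc", ".xls", ".pst", ".qif"}

def is_too_broad(share_dir: Path) -> bool:
    """True if the folder is a filesystem root or contains the user's home."""
    share_dir = share_dir.resolve()
    if share_dir == Path(share_dir.anchor):  # e.g. C:\ or /
        return True
    try:
        home = Path.home().resolve()
    except RuntimeError:  # HOME not determinable; skip the home check
        return False
    return home == share_dir or share_dir in home.parents

def sensitive_files(share_dir: Path) -> list:
    """Walk the shared tree and return files whose extension is sensitive."""
    hits = []
    for root, _dirs, files in os.walk(share_dir):
        for name in files:
            if Path(name).suffix.lower() in SENSITIVE_EXTS:
                hits.append(Path(root) / name)
    return sorted(hits)

def audit(share_dirs) -> dict:
    """Report over-broad share folders and sensitive files inside the rest."""
    report = {"too_broad": [], "sensitive": {}}
    for d in map(Path, share_dirs):
        if is_too_broad(d):
            report["too_broad"].append(str(d))
            continue  # finding is conclusive; don't walk a whole drive
        hits = sensitive_files(d)
        if hits:
            report["sensitive"][str(d)] = [str(h) for h in hits]
    return report

def build_sample_share() -> str:
    """Constructed sample: a music folder plus a stray tax return and resume."""
    base = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (base / "music").mkdir()
    (base / "music" / "track01.mp3").write_bytes(b"\xff\xfb")
    (base / "docs").mkdir()
    (base / "docs" / "2006 return.tax").write_text("constructed sample")
    (base / "docs" / "resume.doc").write_text("constructed sample")
    return str(base)

if __name__ == "__main__":
    print(audit([build_sample_share(), os.path.abspath(os.sep)]))
```

Run against a client's real share list, the report shows a drive root as a single "too_broad" finding and otherwise lists the personal records that would be visible to every peer.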

lol
I download something from Napster
And the same guy I downloaded it from starts downloading it from me when I'm done
I message him and say "What are you doing? I just got that from you"
"getting my song back fucker"